General
-
Target
SecuriteInfo.com.Exploit.CVE-2018-0798.4.2895.29675.rtf
-
Size
23KB
-
Sample
221123-lkxzwabf45
-
MD5
2c568a0469240235e8cf0ef7979ad06c
-
SHA1
34cfa76b4c6023ddb1c607813436789b78543ff9
-
SHA256
ee9b9bc0f963a10dfb20e8ab725c250f6e26d6888f476853beca56537b50035e
-
SHA512
159c96c91c5b784fc343088fdf02e069e77fef15e570f559dce595038c928e056eccc026dba592fec96f892bf111312703ad66328f4463ac89685b05cbe9e64f
-
SSDEEP
384:mQMmdOFNYY0aaaIswqPeOrka1+fHQJ+t3rQkRhZJK6psqFOjSdpLv7UciEUzcQ:SFx0XaIsnPRIa4fwJMnKkrF6EpLv7CcQ
Malware Config
Extracted
agenttesla
https://api.telegram.org/bot5603599252:AAFMdBzOyqWZ9kTMnZ7mBvML6rVOBz2Xfdk/
Targets
-
-
Target
SecuriteInfo.com.Exploit.CVE-2018-0798.4.2895.29675.rtf
-
Size
23KB
-
MD5
2c568a0469240235e8cf0ef7979ad06c
-
SHA1
34cfa76b4c6023ddb1c607813436789b78543ff9
-
SHA256
ee9b9bc0f963a10dfb20e8ab725c250f6e26d6888f476853beca56537b50035e
-
SHA512
159c96c91c5b784fc343088fdf02e069e77fef15e570f559dce595038c928e056eccc026dba592fec96f892bf111312703ad66328f4463ac89685b05cbe9e64f
-
SSDEEP
384:mQMmdOFNYY0aaaIswqPeOrka1+fHQJ+t3rQkRhZJK6psqFOjSdpLv7UciEUzcQ:SFx0XaIsnPRIa4fwJMnKkrF6EpLv7CcQ
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-